4 New "Extremely Critical" IE Vulnerabilities 1081
TopherTG writes "Buckle your seat belts folks. On what is looking to be the next Black Tuesday, with rumors of 9 new Windows security patches being released, Secunia is reporting on 4 new vulnerabilities in IE that allow for arbitrary code execution and placing content over other windows. Combined with the new Windows patches, it is likely more Download.Ject and Sasser like viruses will be emerging in the coming months."
Solution: (Score:2, Insightful)
Disable Active Scripting.
Use another product.
Why don't... (Score:5, Insightful)
Obligatory FireFox Boosterism (Score:5, Insightful)
http://slate.msn.com/id/2103152
Re:At what point... (Score:1, Insightful)
Re:Solution: (Score:5, Insightful)
Re:Interesting... (Score:3, Insightful)
But - (Score:3, Insightful)
No, a new one - RTFA (Score:2, Insightful)
Damned either way. Run Mozilla, if you aren't already.
At this point you really have to be a 100% Grade-A idiot to run IE.
Running as Admin (Score:2, Insightful)
Re:Excuse me while I cry... (Score:5, Insightful)
Built one of these, have you? (Score:5, Insightful)
Built one of these, have you? Do tell, do tell.
Will the masses heed the warnings? (Score:5, Insightful)
Just imagine if cars were sold with this many problems. Or home security systems...
simple answer (Score:5, Insightful)
Re:Black Tuesday? wth? (Score:0, Insightful)
Only GNU/Linux can be installed on computers in basements???
Re:IE is deprecated (Score:4, Insightful)
I've had the worst time being the only Linux guy in the office, and my cries have not completely fallen on deaf ears, as 2 of my co-workers have installed Firefox recently. But when i can talk to someone for less than 5 minutes about the pros and cons of Mozilla and open source browsing vs. IE, most of them nearly start sobbing with all their troubles.
People daily complain to me about the bot problems or spyware issues that they have. I was sympathetic and helpful for a time. But now I wanly smile and say "mozilla.org/firefox" and walk away. Those super-cool guys with browser problems can kiss my ass until they start listening to me, and the rest of the world.
Re:simple answer (Score:5, Insightful)
Because you lose business continuity (all those programmers have to stop doing what they were doing to rewrite the apps, then pick up again later on to waht they were doing, and hopefully haven't forgotten it all), as well as lost opportunities (all that new functionality they could have written instead of unIEfiying their webapps) and all the money the business units lose because they lost the use of the tools that were not developed.
Also, you have to assume that the programmers _can_ rewrite enterprise quality apps in non-browser specific code. That's a stretch as well.
Pulling a number out of my hat, I would say that less than 50,000 programmers in the US can write xhtml+ccs2 compliant code (not that they do--a lot less do, but at least they can.)
As far as companies being burned: suckers. They believed the FUD, bought it hook, line, and sinker, and now, they are royally funked. Oh well. I'll take that paycheck thank you very much.
Re:Running as Admin (Score:5, Insightful)
If Windows wasn't such a pain in the ass to run as a non-admin user, then this wouldn't be such a fundamental problem.
Re:Breaking News (Score:5, Insightful)
Re:No Surprise (Score:3, Insightful)
Management doesn't tell them to write buggy code (Score:3, Insightful)
If they can't code good software, that's their own damned fault and I don't feel bad for them.
Re:Why don't... (Score:3, Insightful)
Anyone called a "personality" doesn't have one.
Anything called a "solution" doesn't solve anything.
Re:Excuse me while I cry... (Score:3, Insightful)
Re:IE Developers (Score:5, Insightful)
No, they are idiots. Remember that simple BMP image buffer over-flow found when the leak of the Windows Source code ? [netsys.com]
That has nothing to do with upper-management decisions. More like Microsoft's human resources problem of hiring people from good colleges who lack real programming experience.
Sunny Dubey
Re:IE Developers (Score:4, Insightful)
Re:yeah, yeah. (Score:3, Insightful)
IE is NOT a web browser (Score:5, Insightful)
Now, taking the software that is responsible for interfacing with the OS and making it your default tool for interacting with the outside world was just plain stupid -- a marketing/legal department move to skirt the ruling that they couldn't bundle IE with Windows. Once done, however, almost any problem with IE becomes a root exploit. Surfing with IE makes this problem go from some risk to extreme risk. The only way to avoid this kind of escalation is to separate web broswer from OS interface: something MS doesn't want to do since then they are back to the bundling problem.
Doomed release (Score:2, Insightful)
Re:Alternative Browser Security Question... (Score:1, Insightful)
Re:Mainstream Media (Score:5, Insightful)
How come you guys are just sitting on your hands hoping the media picks it up instead of pooling your money together and getting a commercial on TV?
Re:pot calling (Score:2, Insightful)
Be Fair! (Score:5, Insightful)
IE works, it does some things well. Anyone who remembers many of my posts over the years knows I'm no fan of Microsoft, but their browser does work. Effectively it's not the browser that's broken, but their implementation and bundling. Where Mozilla or Opera are stand alone applications, IE has links directly into the OS which make the vulnerabilities. If Microsoft had simply played by the same rules everyone else had to, there would have been far fewer problems for them and far fewer embarassments for them.
When competitors and gadflies all pissed and moaned about Microsoft playing unfairly with this bundling strategy, which most of their non-directly-Operating-System software is built following, it wasn't the DoJ or courts that should have been listening, but Microsoft themselves.
Perhaps there should be a Darwin Awards for software, awarded to those companies which continually hoist themselves by their own petard.
Sasser Like Virus for IE? (Score:4, Insightful)
It's hard to stop laughing ... (Score:5, Insightful)
Posted by simoniker on Monday July 12, @05:02PM
MSN, Word Vulnerable To Shell: URI Exploit
Posted by timothy on Monday July 12, @07:42PM
4 New "Extremely Critical" IE Vulnerabilities
Posted by CmdrTaco on Tuesday July 13, @11:45AM
Microsoft Expects 1 Billion Windows Users by 2010
Posted by CmdrTaco on Tuesday July 13, @08:14AM
Is MS trying to be funny or something? Honestly, I really think you have to try to mess-up this badly this many times in such a short period of time... I can't believe a mainstream revolution leaving MS products isn't occuring...
When are the masses going to learn?
Sucks to be them (Score:5, Insightful)
There is nothing revolutionary, even using ActiveX, that can be done in IE that cannot be done by other means with non-IE browsers.
The only significant benefit to doing IE-only development is the streamlined development tools.
This reminds me of a story I heard as a kid... The Three Little Pigs. Sure you can build a straw house quickly, but is it a long-term solution?
Re:Be Fair! (Score:5, Insightful)
But I maintain that is very old by this point, and is not wearing its age very well. Security problems such as these indicate to me that Microsoft should really just sit down with their code at some point soon and fix what's wrong. IE at the core does have the potential to be a good browser, in that I agree with you, but in its present state, I just think that it's nowhere even close to being good, let alone the best.
The real problem? (Score:5, Insightful)
Re:Alternative Browser Security Question... (Score:4, Insightful)
Any complicated piece of software is bound to have some flaws, but the "dur.... let's have our web browser be able to run a 'format c:' from HTML tags! That's a great feature!" attitude at MS isn't helping their security woes. Apple and the Mozilla Foundation, on the other hand, seem to be taking security seriously, which probably means that, even had they the 95% market share, it's likely they would still have fewer viruses and security exploits.
So you're comparing Mozilla users' claims to better security to Apple users' claims is perhaps appropriate. However, implying that either of these claims are false is jumping the gun a bit.
Re:Built one of these, have you? (Score:3, Insightful)
Re:Why don't... (Score:4, Insightful)
Indeed. Still, though no software is perfect, I still think we'd be a lot safer on Firefox or any browser that doesn't so heavily tie itself to ActiveX and the Windows core.
>
Well, yeah, but let's not go the way of Homeland Security for the sake of tracking down script kiddies. One important step would be to require all code coming in from the Internet be signed. Now, you would have to know who published the code before we would install it. Also, any system that allows stuff to be installed in the background with no warning is dangerous. Windows could do like Mac OS X and require the user to enter their password before any system-level actions could be attempted. Also, they could use the Java sandbox idea where untrusted code is locked down.
The problem is not that dangerous code
Browser wars rock (Score:2, Insightful)
Re:Will the masses heed the warnings? (Score:3, Insightful)
Too many people ignore warnings for preventible problems, but will more likely change once they see for themselves how much their poor choices and habits cost them.
Re:Black Tuesday? wth? (Score:5, Insightful)
Now imagine Microsoft adopting a policy of releasing patches on a known day of the month. Imagine coming up with a corporate plan to handle those patches on a predetermined schedule.
You decide which is better.
Re:Be Fair! (Score:5, Insightful)
The rendering engine is slow (compared to Opera, so I'm a bit spoiled), the user interface is missing things that competitors have had for a while (mouse gestures? popup blocking? selective image/cookie blocking? tabbed browsing?), and it's got the aforementioned security issues.
IE stores each individual cookie and each individual cache object in its own file. I have seen computers (P2/350 on win98 with ~10K cache objects) get slowed to a crawl by this. Might be a good idea on reiserfs, but fat32 (and probably ntfs) choke and die on this.
Sure, there are websites that only work in IE. That's partly because people design them to be bug-compatible with it, and partly because any website that doesn't work in IE won't get published.
Re:Be Fair! (Score:2, Insightful)
Thanks to their monopolistic actions in destroying their for-profit competitors, there is now nobody capable of threatening Microsoft from the direction of browsers. (They only worried about Netscape for the potential of creating an alternative app-deployment platform; Mozilla is not a similar-scale threat).
So why on earth should Microsoft fix any of these problems?
People have to buy Windows. They get IE for free. If they go out and download Mozilla, why should Microsoft care?
One would think at this point that the 85% of slashdotters who cling to their childish cyberlibertarian views would at least acknowledge that this whole IE debacle would be less damaging if there were market incentives to which Microsoft might be more likely to respond.
Re:IE is NOT a web browser (Score:5, Insightful)
Exploit yes, root exploit, no, not unless the user is running as an Administrator. IE still runs at the privileges of the logged on user.
Re:Be Fair! (Score:5, Insightful)
As an old programmer, I recognize this as the great hazard of integrating applications into an operating system. Changes to the app require changes to the OS. Change the OS and you should test the app still works. It does get very long of tooth and requiring too much bubble gum and bailing wire to keep going as the becomes ever more fragile. This is why Microsoft, of all people, should have been wary of this practice.
I've been one not to bypass APIs and try tweaking operating systems, file structures, etc. manually as there's always the possibility the feature may cease to work or produce unexpected and disasterous effects. When Microsoft changes the OS the API should still work and largely does for those apps built upon it. All this messing about with the OS, though, when there are dependencies upon dependecies directly connected to the OS is bound to falter.
What Microsoft should do, but probably won't until it becomes excedingly painful (isn't it already? with the Dept of HL Sec. issuing an advisory against using it?) is start over and obey the developer rules they insist everyone else does, but they ignore.
Slighly OT, but underscoring the point I think: Years ago I anticipated with baited breath the arrival of Ultima V for the Amiga. I had an A2000 all decked out with HD, memory, all the toys. Comes the software and I find it behaves really oddly with the keyboard. A few inquiries reveals Origin Systems outsourced the coding to some house in the UK who ignored the APIs and coded to access the keyboard directly. Unfortunately their development platform was the A500, which handled the keyboard differently, thus all other versions had great problems. If they hadn't tried to be so damn clever it would have been a big success as a product and everyone would have been happy. As it was people like me saw red and wanted blood. The platform and software may change, but people still respond the same to betrayal. In this case it's Microsoft who has betrayed the customerbase as well as themselves on a very poor path of development decision making, attempting to outdo their competition.
Re:IE is NOT a web browser (Score:5, Insightful)
Re:Mainstream Media (Score:5, Insightful)
1) Write one or more versions of a news story (many, many stories in the media are dropped in essentially as they were delivered to the media). Hopefully this includes a "human interest angle", like Grandma Sally being redirected goatse.cx or giving up her CC number to ch.ase.com. Use only a minimal of substantive or technical details to avoid people who don't want to think through them. Yes, this is doing reporters' work for them, but that's how you get stuff in circulation when you're outside the loop.
2) Call (email might work, but probably not as well) the editors of Style/Living/Consumer Affairs pages of newspapers and TV stations and pitch em the story. Again, this is reporter work, but it gets the story in the news.
3) Lather, rinse, repeat. Fan the flames by providing more juicy details with human interest angles - disgruntled MS employee, evidence that problem is far wider than acknowledge "they don't want to you to know this...", speculations about apocalyptic collapses of the economy. Involve porn to feed the public's prurient side. Modify the story a bit for consumption by other stations/papers/etc as it evolves.
This is how most political scandals evolve - someone plants the story and fans the flames for a week or two in the public gets tired of it. To do real damage, you sync the stories with lulls in other news and cycles of public mood.
Re:IE is NOT a web browser (Score:5, Insightful)
That's not exactly true. IE is the web browser, and Explorer is the interface between the user and the windows OS. Windows is very modular in this respect, IE has an executable named "iexplore.exe," and windows explorer is "explorer.exe." "iexplore.exe" is located in the Program Files directory, "explorer.exe" is located in C:\Winnt or C:\Windows.
The two share a vast number of the same controls, and that is why you would think that IE is the same as Windows Explorer. Explorer sort of turns into IE if you try surfing to another site. The process keeps the same name, which leads me to think that IE is luanched as a thread or something. The About box changes, though, to reflect that it is IE that you are using, not Explorer.
The number of exploits that hit windows are caused by this amount of integration, and the sloppy programming that it was built with. It's the activeX component, or the COM control that has the flaw, and the processes just wrap that chunk of code. I imagine that if a flaw was found in KHTML, for instance, it would affect the Konqueror browser as well as Safari (isn't that the one that's KHTML based?). Thankfully, the source is out in the open with KDE, so exploits are typically taken care of with efficiency. Unless it's declared as a bug in Mozilla's bug-traq, and the devs don't want to do anything about it. But that couldn't possibly happen...
Re:Be Fair! (Score:3, Insightful)
The Darwin Awards should be for software companies that make stupid decisions and die; not one that makes stupid decisions and holds 96% of desktop marketshare.
-m
Re:IE is NOT a web browser (Score:4, Insightful)
Re:IE is NOT a web browser (Score:5, Insightful)
Praise Mozilla (Firefox) for having a single-directory non-administrator install. Intuit (Quicktax) can go to hell...
I'll stop ranting now. Micrsoft didn't help this with their lax security model in 95/98, but 3rd party software isn't helping the situation.
Re:It's hard to stop laughing ... (Score:4, Insightful)
When there is a VIABLE desktop alternative to Windows?
Re:IE is NOT a web browser (Score:5, Insightful)
Good one. You can't even run some MS developer software without root (hmm, Administrator) privileges! (eg. eVC++ 4.0). And let's not even start about non-MS software (eg, games). Using a MS box without administrative priv. is like having a car with no engine - nothing works!
Hell, when Administrative priv. are required, what does Windows software do? It pops up, "You have to be running as an Administrator to ...". It doesn't even ask you for Admin. password to complete its function. You just have to relogin. And thanks to the great "multi user capabilities", you have to log out of your current session first.
Running the OS as a non-Admin is like trying to run with pains-ticks up your ass. And then running as an Admin seems not much better (see story)!!
PS. I think MS's "Run As..." needs an extra 's'. At least 'su' works!!
Most users run with admistrator privs or in group (Score:3, Insightful)
the sad truth is that no one I know has folks set up as "Users" or "Limited Accounts" unless its a guest account. Also, any new computers that are purchased end up with XP asking for a person's name to set up an account. This account is always an account in the administrators group. 99% of XP users use this account at their primary, not understanding the difference.
In addition, those that do set up limited accounts many times discover that [insert pre-XP software package here] doesn't work with Limited accounts so they revert back, or they use the Power User account which is almost as bad as administrator.
Damned if you do, damned if you don't.
(a) folks
Re:It's hard to stop laughing ... (Score:3, Insightful)
Re:email to family members (Score:3, Insightful)
As a Canadian, why would my family care what the American Dept of Homeland Security says?
And just to add something, I did suggest it to them sometime ago.
Then the exploit for Mozilla came out, now they are asking me why they went through all the trouble of changing browsers.
Re:Black Tuesday? wth? (Score:2, Insightful)
Re:IE is NOT a web browser (Score:3, Insightful)
1. Standard apps (such as palm hotsynch) and many games don't work properly as non-root
2. I don't want to have switch user each time I need to do an administrator-level activity -- particlulary since brain-dead windoze takes a minute or more to do this even on a fast machine.
If only there were the Unix equivalent of 'sudo' or even 'su' then it would be much easier to run with user level privileges and only use administrator when you really need it.
Windoze is still a buggy, toy operating system relative to Linux or any other half-decent flavor of Unix...
Re:Be Fair! (Score:3, Insightful)
So, yes, in my previous reply I overstated a bit - there is _some_ competition from FOSS, but only in the sense that there's a failsafe if MS screws up incredibly badly. This is not normal market signals, though; it wouldn't take this near-disasterous state of affairs to get MS to pay attention if Netscape were actually a going concern.
Warning: Mindless drivel or not -- you decide (Score:3, Insightful)
How much longer is security through obsurity going to carry a clueless monopoly to its demise.
Patience has its virtue. But for the end-user, only fools would get lucky. Not this time, Bill.
I'm sticking with Firefox/Mozilla. Mozilla [mozilla.org]
Thank you open-source for opening my eyes to a better software through open-colloberation and open-cooperation. You've shatter my belief that corporation can fix after themselves.
Instead, we see tons of industries built upon MS insecurities.
Time to experience another industry bubble-burst, this time in the security sector, not I&T.
Re:Go text based! (Score:3, Insightful)
Also, w3m is a text browser with image support (no idea how, but it works)
Re:IE is NOT a web browser (Score:3, Insightful)
Then I guess even linux cannot save you from trojans/virus. Having different users for different purposes is the essence of security. Lusers who impulsively click every .exe and .scr need no admin rights.
Re:Built one of these, have you? (Score:5, Insightful)
Re:IE is NOT a web browser (Score:4, Insightful)
Even worse, on my WinXP box I've seen 3rd party software which requires Admin privs pretend to complete it's task, exit with no errors, but nothing was actually done! I've seen this mostly with software updaters.
One game in particular, Madden 2004, will tell an unpriveliged user that there are updates to install, pretend to apply them, and then turn around and say that there are still updates to install. When run as Admin, it says there are no updates available. So I don't even know if these updates are installed system-wide when done by Admin, or if the unprivileged user just doesn't get updated software.
But I don't know about the logging out part. With XP, at least, you can just switch users and keep the other user's applications still running.
runas is crap (Score:4, Insightful)
I hate runas, its nothing like su or sudo. Quick rant here, oracle installed with permissions so that only Admin could access the dir. I couldn't change it. Tried to do as I would in KDE and do:
runasto pop open an Admin explorer shell to change the permissions on the dir. Just doesn't work. Command ran and nothing happened. In KDE its just a simple
su root -c konqueror
or for mesudo konqueror
or even ALT+F2, konqueror, "run as different user: root" and enter the password. Had to close everything I was working on (this is my work computer with ssh sessions, code files, and RDP sessions open), log out and log back in as Admin just to simply add my user to the list of allowed users. User-Friendly my assRe:Black Tuesday? wth? (Score:4, Insightful)
> You decide which is better.
That depends on your goal..
If yoru goal is to get as many patches installed in as little time as possible, the planning oppertunities that MS gives are very nice..
When you are just interested in keeping your machines secure, and somehow you must run windows on them, then this policy is simply unusable since it will leave a much larger timeframe for exploitation.
Your boss may be interested in statistics when thigns work, but will still get pissed off about that one major security compromise regardless of those statistics.
Comment removed (Score:4, Insightful)
you need a history lesson (Score:5, Insightful)
UNIX has had a clean and simple separation between administrator and user privileges since the 1970's, and Linux uses the same mechanisms. UNIX and Linux have faced the most formidable opponent trying to break down that barrier over decades: the college student, who can spend hours a day trying to break into university systems. And they did. And UNIX developers fixed the bugs and adapted the security models.
The people who need a history lesson are Microsoft developers. They just started hacking some time in the 1980's, giving a damn about security or any of the other hard stuff. That kind of ignorance got hardcoded into Windows APIs, libraries, documentation, coding styles, frameworks, and instructional materials. That's why most third party developers for Windows put files all over the place and don't pay any attention to security either.
It's not surprising Microsoft and Microsoft developers managed to grind out popular GUI apps quickly--they cut corners on all the hard stuff and didn't even know it. The UNIX nerds at the same time were saying "this isn't the right way of doing it": they were looking 10-20 years down the road with the experience they already had, but because they were thinking long-term, Microsoft beat them on time to market and price. That's why Windows, and not UNIX, rules the desktop today. But ignorance and backwards-compatibility issues are catching up with Microsoft, and it seems quite likely to me that their fall is going to be just as spectacular as their rise.
Re:Education is needed (Score:3, Insightful)
I think that if I was to create boxed sets of viruses or harmful applications that simply wipe out a users data, stick them on store shelves, and give them an appealing slogan on the box, eventually some user would install that package on their computer. Now, can that be considered a hole in the os? I should think not, afterall the user intentionally installed the software. I think a similar argument can be made about ActiveX or XPI, just that these systems make it overly easy to get someone else's code running on your system. After all, that was what they were designed to do in the first place.
Once a program has warning windows telling the user to make sure they really want to run the code that the website has presented the program has done all it can to make sure only legit code is run. Now, I don't like ActiveX and think it is a large vulnerability but I think that at some point you really have to blame the user.
One thing MS needs to do is provide a warning that ActiveX (and other technologies) is about to be used the default setting (I like the way the XPI warning box in Firefox works). However, even if MS used a warning like this: "Warning! Clicking yes may seriously jepordize your computer and all the information on it!" people would still probably click yes without thinking, especially if they visit trused sites that use a lot of ActiveX.
I think at this point we should blame the user. After all, they are the one who is supposed to be in controll, the one telling the computer what to do. They should also be held accountable of making decisions that are healthy for the computer. I mean the human is infinetly more intelligent than the computer, so why should the computer be the one trying to think for the human? However, the sad truth is that most users are just not educated enough to make good desicions for themselves and their computers.
Re:IE is NOT a web browser (Score:3, Insightful)
Honestly, what's the point?
What advantage does the Windows Registry have over the "bunch of plain-vanilla ASCII configuration files" method that the Unices use?
Re:IE is NOT a web browser (Score:3, Insightful)
The reason that programs tell you that you have to be admin to do this but don't ask you for a password to continue, is becuase even if they had the password they couldn't do anything with it. Every time a user logs on [microsoft.com], a security primary token is created that can be used to create processes with the user's priveledges. Even if you know a user's password, those tokens cannot be created in an unprivileged process; a process requires the SeCreateTokenPrivilege [microsoft.com] to create primary tokens. By default, only the SYSTEM account has that privilege. Change it in the Local Security Settings snap-in, or the User Manager for NT4 and earlier.
Notice that runas and SUD [espci.fr] require a privileged service account that runs as SYSTEM. Windows installer can prompt you for a password because it has a service too.
Re:Built one of these, have you? (Score:5, Insightful)
features? like tabbed browsing? popup blocking, integrated search? do we see that in IE? the only features MS have added to IE in the last 5 years have been 'smart tags' and a bunch of 'enhancements' to the w3c dom, the scripting language, the html tags and so forth which, although they have earned me good money for my sins as a javascripter, just shit people off.
so with security taking *such* a backseat, can we ever expect IE to be secure? all i want is proper CSS and javascript support and i don't want to have to run a testing centre with 160 combinations of browsers and platforms (we had something approaching this at a place i used to work)
Oh fuck me sideways... (Score:3, Insightful)
I'm going to try very hard not to be mean. Seriously, did you (and everyone else who replied to the challenge to list one thing IE does better) not realize what you're saying???
These are IE-specific things!!! You're comparing apples and oranges. The only sane response is probably drag-n-drop bookmarks. Not IE-only CSS hacks! Look at it this way:
Seriously, that's what it sounds like. Next you'll say that IE is better because of Active-X. Who gives a shit if IE has some IE-only, embrace and extend version of CSS? That's not the mark of a better browser, that's MS using their market dominace to screw with standards just enough to lock-out competitors. I'm open to "participating in a creative discussion", but be creative.
Re:Oh, really? (Score:1, Insightful)
Re:IE is NOT a web browser (Score:1, Insightful)
If it's a conspiracy then it has been around for some time.
Re:Black Tuesday? wth? (Score:3, Insightful)
Now imagine Microsoft making products that are more manageable and secure from the start, so that releasing more than one patch per quarter is an extremely rare occurance, and updating is a simple procedure that only requires rebooting your server if you're updating the core of the operating system.
You decide which is better.
ATTENTION ALL SYS ADMINS: (Score:2, Insightful)
Asumming you have some control, your users have "user" rights. But YOU have "Admininstrator" rights too all \\workstations & \\servers...
All it would take is YOU clicking on the wrong link and bye-bye domain.
(as if your ego would allow you to assign yourself a meager 'user' account.)